ISO 27018 – the international standard for protecting PII in the public cloud – Where are we now?

Since its release in August 2014, ISO 27018 is becoming well established as the “go to” standard to help cloud customers to comply with their privacy obligations when using public cloud services. Privacy regulators recognise and refer to the new standard. Cloud customers are using it in their RFP requirements and in their assessments of CSPs. And CSPs themselves can and should adopt and commit to the new standard.

We reported last year about the publication of this new standard: “ISO/IEC 27018:2014 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (“ISO 27018”).

In a subsequent post, we discussed how ISO 27018 helps cloud customers in Singapore to comply with Singapore’s Personal Data Protection Act (PDPA). We concluded that if a cloud customer engages a cloud services provider (CSP) that complies with ISO 27018 (e.g. adopts and contractually commits to ISO 27018), then the cloud customer can be confident that the CSP’s solution will help the cloud customer to comply with its key legal obligations under the PDPA relevant to its use of cloud services. We carried out the same research for other countries and the same conclusion applies: cloud customers who use CSPs that comply with ISO 27018 will be better able to comply with relevant privacy law obligations in Australia, Hong Kong, Japan, Korea, Malaysia, New Zealand and European countries, including France, Germany, Spain and the UK.

In this post we will look at the latest developments in the market in relation to ISO 27018 and at how ISO 27018 is becoming the “go to” standard to help cloud customers to comply with their privacy obligations. We will also provide pointers for cloud customers, CSPs and regulators on how to benefit from ISO 27018.

The latest ISO 27018 developments

Regulators

Since August 2014, we have seen regulators around the world recognise and refer to ISO 27018 (and this should come as no surprise, as regulators often refer to ISO standards, e.g. ISO 27001).

In Canada, the OIPC posted on its blog that ISO 27018 allows access to the benefits of the cloud whilst keeping control of data (March 2015).

In Germany, a state regulator’s cloud guidance highlights the use of ISO 27018 for cloud (October 2014).

In Slovenia, the Information Commissioner indicated that ISO 27018 is consistent with its requirements and should help to address the lack of confidence in cloud (January 2015).

These regulators and others are continuing to consider the use of ISO 27018. The Belgian authority is also working on an analysis of ISO 27018 to be included in a global recommendation to customers using cloud. The PDPC in Singapore is also considering the use of ISO 27018.

Cloud customers

Customers in the public and the private sector are looking at including ISO 27018 in their RFP requirements and in their procurement contracts, in the same way they have done with other ISO standards. These are the kinds of discussions we have been having with, and recommendations we are making to, our clients.

Cloud customers have, in the past, been slow to adopt cloud services. In part, this has been because of regulatory concerns. But ISO 27018 has provided cloud customers with a convenient solution to address privacy regulations when using public cloud services. We have seen that cloud customers who use CSPs that comply with ISO 27018 will be better able to comply with relevant privacy law obligations in many jurisdictions.

Cloud services providers

CSPs can now adopt and commit to ISO 27018.

Earlier this year Microsoft, one of the leading CSPs in the market, became the first CSP to adopt and commit to ISO 27018. An independent audit confirmed that its services incorporate all of the ISO 27018 controls, and the ISO 27018 controls will become part of Microsoft’s contractual commitment to its customers. We expect to see other CSPs follow suit.

No standalone certification is available as yet for ISO 27018. However, compliance with ISO 27018 is demonstrated through an ISO 27001 certification that incorporates all of the controls from ISO 27018. By going through this kind of assessment process, CSPs (and ultimately their customers) can be certain of their ISO 27018 compliance. To remain compliant, CSPs must undergo yearly independent reviews. This is what the likes of Microsoft will do.

The more regulators recognise and refer to ISO 27018 and the more customers require compliance with ISO 27018, the more CSPs will need to adopt and commit to ISO 27018. Like other ISO standards before it, ISO 27018 will become the norm.

What next for ISO 27018?

Regulators are adopting ISO 27018, customers are requiring compliance with ISO 27018 and CSPs are committing to ISO 27018 compliance. ISO 27018 is already becoming the norm (just like other ISO standards).

We expect this to continue. The adoption of cloud services is increasing across all sectors: financial services, retail, energy, logistics, manufacturing, travel and all kinds of SMEs. In the public sector, governments have pushed “public cloud first” style policies in the US, Europe, Australia and Singapore. It is in the interest of governments to allow cloud services to be adopted in the public and private sectors. The benefits of cloud services are clear. But at the same time the compliance challenge will not disappear. The regulation of data is on the rise (and rightly so). Data should be regulated; it is a valuable and sensitive asset. This is why ISO 27018 is proving helpful: customers can benefit from cloud services while at the same time ensuring compliance with privacy regulations.